
Montenegro
Data Protection
Introduction
The Personal Data Protection Law (Official Gazette of Montenegro, No. 79/08, 70/09, 044/12, 022/17 and 077/24) (PDPL) is the main legislation governing the processing of personal data in Montenegro.
The current law is still not fully compliant with the General Data Protection Regulation (GDPR) and a draft of a new law is underway.
1. What national laws regulate the collection, use and disclosure of personal data?
Collection, use and disclosure of personal data in Montenegro is primarily governed by the PDPL.
In addition to this main law, other laws which contain relevant provisions on this subject are as follows:
- The Criminal Code (Official Gazette of Republic of Montenegro, No. 070/03, 013/04, 047/06, Official Gazette of Republic of Montenegro, No. 040/08, 025/10, 073/10, 032/11, 064/11, 040/13, 056/13, 014/15, 042/15, 058/15, 044/17, 049/18, 003/20, 026/21, 144/21, 145/21 and 110/23) — personal data and criminal record and criminal offences: (i) unauthorised collection and use of personal data; and (ii) violation of confidentiality of proceedings.
- Law on Criminal Proceedings (Official Gazette of Republic of Montenegro, No. 057/09, 049/10, 047/14, 002/15, 035/15, 058/15, 028/18, 116/20, 145/21 and 054/24) — collecting personal data for the purpose of conducting criminal proceedings.
- Law on Pension and Disability Insurance (Official Gazette of Republic of Montenegro, No. 054/03, 039/04, 061/04, 079/04, 081/04, 029/05, 014/07, 047/07, Official Gazette of Republic of Montenegro, No. 012/07, 013/07, 079/08, 014/10, 078/10, 034/11, 039/11, 040/11, 066/12, 036/13, 038/13, 061/13, 006/14, 060/14, 060/14, 010/15, 044/15, 042/16, 055/16, 080/20, 145/21, 145/21, 086/22, 099/23, 125/23 and 077/24) — usage of the data contained in the registry (i.e. civil/office registry).
- Law on the Prevention of Money Laundering and the Financing of Terrorism (Official Gazette of Republic of Montenegro, No. 110/23 and 065/24) — the financial intelligence unit, state bodies, state administration bodies, holders of public authority, taxpayers and their employees are obliged to use the personal data they receive in accordance with this law only for the purpose for which the personal data is intended.
- The Labor Law (Official Gazette of Republic of Montenegro, No. 074/19, 008/21, 059/21, 068/21, 145/21 and 077/24) — processing and use of the personal data of employees.
- The Law on Electronic Commerce (Official Gazette of Republic of Montenegro, No. 072/19) — electronic registers of organs and other entities cannot be stored on the information and communication infrastructure outside of Montenegro, and official addresses for electronic communication cannot be located outside of Montenegro and must be created under the national domain.
- The Law on Electronic Communications (Official Gazette of Republic of Montenegro, No. 040/13, 056/13, 002/17 and 049/19) — direct marketing, data retention, and infringement of personal data by the electronic communications controller.
There is a possibility that other laws and/or by-laws contain information concerning the protection of personal data, especially if they relate to a certain area of business, but here we have listed the regulations that are most often in use.
2. To whom do the laws apply?
The Montenegrin PDPL applies to data controllers, data processors, data subjects, data recipients and third parties.
Definitions:
- Data controller: a natural or legal person or public authority who processes personal data and determines the purposes and means of the processing of personal data.
- Data processor: a public authority, commercial enterprise, or other legal or natural person who performs tasks concerning the processing of personal data on behalf of the controller.
- Data subject: a natural person whose personal data is processed.
It is important to mention that the PDPL does not apply to the processing of personal data for the purposes of defence and national security, unless a special law provides otherwise, as well as to a natural person processing personal data for their personal purposes.
3. What is the territorial scope of the law?
In relation to the territorial scope of the law, the provisions of the Montenegrin PDPL apply in the following cases of processing of personal data:
- to controllers who process personal data in the territory of Montenegro or outside Montenegro, where the regulations of Montenegro are applied in accordance with international law; and
- to a personal data controller who is established outside Montenegro or does not reside in Montenegro, if the equipment used for processing is situated in the territory of Montenegro unless such equipment is used only for the purposes of transit of personal data through the territory of Montenegro.
4. What acts and operations relating to personal data are regulated?
Processing means any operation or set of operations performed on personal data or sets of personal data (whether automated or not), such as collecting, recording, organising, modifying, keeping, retrieving, using, accessing, disclosing, transmitting, classifying, combining, publishing, blocking and deleting.
5. What personal data does the law regulate?
Personal data under the Montenegrin PDPL is defined as any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is someone whose identity can be determined directly or indirectly, particularly based on identifiers such as name, personal identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Pseudonymised data is subject to the PDPL and other laws, while anonymised data is not.
6. Are any types of personal data subject to a higher level of protection under the law?
The Montenegrin PDPL stipulates special categories of personal data which are subject to higher protection, such as the following:
- racial or ethnic origin;
- sexual orientation/sex life;
- health condition/medical data;
- trade union membership;
- political, religious or philosophical beliefs; and
- biometric data.
7. What requirements must be fulfilled in order to process personal data?
Processing of personal data can be done:
- With previously obtained consent of the data subject, which can be withdrawn at any time.
- Without consent of the data subject if it is necessary for:
  - the performance of the legally prescribed obligations of the controller;
  - protection of life and other vital interests of a person;
  - execution of the contract if the person is a party to the contract or for taking actions at the request of the person before concluding the contract;
  - performing tasks of public interest or in the exercise of public powers;
  - the purposes of the legitimate interests pursued by the controller or by a third party.
The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Before giving consent, the data subject must be informed of this right, and the withdrawal of consent must be as easy as giving it.
By way of exception, the obligation to inform data subjects does not apply when the processing is performed for statistical purposes or for the purposes of historical or scientific research; if the processing is expressly laid down by law; if the provision of such information proves impossible; or if it would involve a disproportionate effort and the controller is obliged to apply appropriate safeguarding measures.
The PDPL recognises special types of processing: biometric measures, records of entry and exit from business or official premises, and video surveillance by the public sector, a company, another legal entity or an entrepreneur.
The processing of personal data related to criminal acts, imposed criminal and misdemeanour penalties or security measures can only be carried out by or under the supervision of a competent state body and if measures for protection of personal data are provided in accordance with the law.
8. What obligations apply when processing personal data?
Personal data shall be processed in accordance with data protection principles:
- the processing shall be carried out in a lawful and transparent manner;
- data shall be collected for specific purposes;
- data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed; and
- data shall be accurate and, where necessary, kept up to date.
The data subject shall be informed by the controller prior to the beginning of processing of the identity of the controller, the purpose and legal ground for processing, storage period, transfer, and other obligatory information as prescribed by the PDPL.
The controller keeps records on the collections of personal data established. The controller is obliged to notify the Agency for Personal Data Protection of Montenegro (“Agency”) prior to establishment of an automated collection of personal data, and notification shall contain information prescribed by the PDPL.
Prior authorisation of the Agency is necessary when the controller intends to automatically process data, where such processing causes significant risk to rights and freedom of persons, particularly if special categories of data or biometric data are processed, if video surveillance of public areas is planned, or if processing of data related to assessment of personality, capabilities or behaviour is planned.
The controller keeps records of third parties, i.e. users of personal data, personal data provided for use, the purpose for which it is provided, the legal basis for use and provision of data for use, and the time of use. The records are kept for a period of 10 years, after which the data from the records is deleted.
The relationship with other processors shall be regulated by an agreement whereby the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures (TOMs).
9. What rights does the data subject have in relation to personal data?
Data subjects are guaranteed the following rights:
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The rights in relation to automated decision-making.
When deciding on the rights, obligations, and interests of the person, the assessment of their personal characteristics and abilities (performance at work, reliability, creditworthiness, behaviour) that are important for decision-making may not be based exclusively on automatic data processing.
10. What rules regulate the sending of commercial or direct marketing communications?
The PDPL stipulates that before processing personal data for direct marketing purposes, a data subject must be given the opportunity to object to data processing.
If special categories of personal data are used for direct marketing purposes, the consent of the data subject is necessary.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
Prior authorisation of the supervisory authority is necessary when personal data that is processed can be exported from Montenegro to another country or given for use by an international organisation, which applies adequate personal data protection measures prescribed by this law.
Prior authorisation is not mandatory in situations where:
- the presentation of personal data is prescribed by a special law or an international agreement that binds Montenegro;
- prior consent has been obtained from the data subject and the data subject has been informed of the possible consequences of the disclosure of the data;
- the transfer of personal data is necessary for the performance of a contract between a legal or natural person and the controller of the collection of personal data or for the fulfilment of pre-contractual obligations;
- disclosure of personal data is necessary to save the life of the data subject or when it is in their interest;
- disclosure of personal data is carried out from registers or records that, in accordance with the law or other regulations, are available to the public;
- the data is transferred to Member States of the European Union and the European Economic Area or states that are on the list of the European Union that have an adequate degree of personal data protection;
- the transfer of personal data is necessary for the realisation of public interest or for the realisation or protection of the legal interests of the data subject; or
- the controller concludes a contract which contains the corresponding contractual obligations accepted by the Member States of the European Union, with the processor of personal data from a country that is not a member of the European Union, etc.
12. What are the investigatory and enforcement powers of the regulator?
According to the Montenegrin PDPL, the Agency carries out supervision using the following methods:
- issuing an order that irregularities in the processing of personal data be eliminated within a certain period;
- temporarily prohibiting the processing of personal data that is carried out contrary to this law;
- ordering the deletion of personal data collected without a legal basis;
- prohibiting the transfer of personal data from Montenegro or the provision of personal data to users of personal data contrary to this law; or
- prohibiting entrusting the processing of personal data when the processing of personal data does not meet the requirements regarding the protection of personal data or the entrustment of the said tasks was carried out contrary to this law.
The Agency has the right to access personal data contained in personal data collections, as well as the right to access files and other documentation.
13. What are the sanctions and remedies for non-compliance with data protection laws?
Administrative sanctions
Acting/processing of personal data contrary to the law is a misdemeanour, whereby the fine ranges from EUR 500 to EUR 20,000 for the legal entity.
In addition, the individual responsible for the misdemeanour within the legal entity and natural persons can be fined from EUR 150 to EUR 2,000.
For entrepreneurs, the fine ranges from EUR 150 to EUR 6,000.
Criminal sanctions
The penalty for criminal offences (unauthorised acquisition or disclosure of personal data, collection or use of personal data in breach of the law/unauthorised assumption of another person’s identity) ranges from a monetary fine to a maximum of a three-year imprisonment term.
Civil remedies
Any person whose data protection-related rights have been violated can initiate a procedure for compensation of damages before the competent civil court.